CVE-2026-42074
Undergoing Analysis - In Progress
Code Execution via Sandbox Bypass in OpenClaude

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: gitlawb
Product: openclaude
Version / Range: 0.5.1
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42074 is a critical sandbox bypass vulnerability in the OpenClaude project, an open-source coding-agent CLI. The issue arises because the parameter dangerouslyDisableSandbox is exposed in the BashTool input schema, allowing an untrusted Large Language Model (LLM) to set it to true in any tool_use response.

With the default setting allowUnsandboxedCommands set to true, this enables the model to escape the sandbox and execute arbitrary commands directly on the host system, leading to full host-level code execution.

The vulnerability is due to the shouldUseSandbox() function incorrectly disabling the sandbox when the model sets dangerouslyDisableSandbox to true and unsandboxed commands are allowed by default. This contradicts the project's threat model, which treats the model as an untrusted principal.

Proof-of-concept exploits include executing destructive commands like removing all files or exfiltrating sensitive data such as SSH keys.


How can this vulnerability impact me?

This vulnerability allows an attacker controlling the LLM to bypass sandbox restrictions and execute arbitrary commands on the host system.

  • Full host-level code execution, which can lead to system compromise.
  • Potential exfiltration of sensitive files, such as private SSH keys.
  • Execution of destructive commands, including deleting critical files or data.

Overall, this can result in complete loss of system integrity, confidentiality, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the OpenClaude instance is running a version prior to 0.5.1 where the dangerouslyDisableSandbox parameter is exposed and if the configuration allows unsandboxed commands (allowUnsandboxedCommands is true).

Detection can involve monitoring for suspicious tool_use responses from the LLM that include the dangerouslyDisableSandbox parameter set to true.

Additionally, you can look for evidence of sandbox bypass attempts such as execution of arbitrary commands outside the sandbox, for example commands that access sensitive files or open reverse shells.

Specific commands to detect exploitation attempts might include searching logs or monitoring processes for commands like:

  • cat ~/.ssh/id_rsa
  • rm -rf /
  • Commands that open reverse shells or unexpected network connections.

Since the vulnerability is related to the BashTool input schema, inspecting the input payloads or logs for the presence of dangerouslyDisableSandbox: true in tool_use responses can help detect attempts.
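The log check described above, as an added example that is not part of the original page or the OpenClaude project. It assumes agent logs are JSON lines whose records carry a "content" array of typed blocks (the tool_use layout is an assumption) and reports every block that sets dangerouslyDisableSandbox: true, noting whether the host's allowUnsandboxedCommands setting would actually have honoured it.

```typescript
// Added example (not OpenClaude's own code): scan a JSON-lines log of model
// responses for tool_use blocks carrying dangerouslyDisableSandbox: true.
// The record layout ("content" array of typed blocks) is an assumption.
interface ContentBlock { type: string; id?: string; name?: string; input?: Record<string, unknown>; }

export interface Finding {
  toolUseId: string;
  tool: string;
  command: string;
  wouldEscape: boolean; // true only when the host config would honour the flag
}

function parseRecord(line: string): { content?: ContentBlock[] } | null {
  try {
    return JSON.parse(line);
  } catch (e) {
    return null; // non-JSON noise in the log: skip it rather than abort the scan
  }
}

export function scanToolUseLog(logText: string, allowUnsandboxedCommands: boolean): Finding[] {
  const findings: Finding[] = [];
  for (const line of logText.split("\n")) {
    const record = line.trim() ? parseRecord(line) : null;
    if (!record) continue;
    for (const block of record.content ?? []) {
      // Match on the input key, not the tool name, so a PowerShell tool
      // exposing the same flag is caught as well.
      if (block.type !== "tool_use" || !block.input) continue;
      if (block.input.dangerouslyDisableSandbox !== true) continue;
      findings.push({
        toolUseId: block.id ?? "",
        tool: block.name ?? "",
        command: String(block.input.command ?? ""),
        wouldEscape: allowUnsandboxedCommands,
      });
    }
  }
  return findings;
}

// Constructed sample log: a benign call, a text block, and a call that sets the flag.
export const SAMPLE_LOG = [
  { content: [{ type: "tool_use", id: "tu_1", name: "BashTool", input: { command: "npm test" } }] },
  { content: [{ type: "text", text: "Running the tests now." }] },
  { content: [{ type: "tool_use", id: "tu_2", name: "BashTool",
               input: { command: "cat ~/.ssh/id_rsa", dangerouslyDisableSandbox: true } }] },
].map((r) => JSON.stringify(r)).join("\n");
```

A finding with wouldEscape false still indicates a model that tried to leave the sandbox and is worth investigating as a prompt-injection indicator.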


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenClaude to version 0.5.1 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, you should set the configuration option allowUnsandboxedCommands to false to prevent the model from disabling the sandbox.

Additionally, review and remove any exposure of the dangerouslyDisableSandbox parameter from the BashTool and PowerShell tool schemas to ensure the model cannot control sandbox overrides.

Ensure that any sandbox override requires explicit trusted internal approval, not controlled by the model.

Monitoring and auditing tool_use responses for suspicious parameters or commands is also recommended as part of ongoing mitigation.
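The sandbox decision this advisory describes, as an added example rather than OpenClaude's own code: the vulnerable shape, where the model-controlled input is consulted, next to a hardened shape where the flag is removed from the tool schema and any override must arrive through a host-side argument. Function names, the assumed input keys and the TrustedOverride type are hypothetical; only allowUnsandboxedCommands and dangerouslyDisableSandbox come from the advisory.

```typescript
// Added example (hypothetical, not OpenClaude's code): the sandbox decision the
// advisory describes, in its vulnerable form and a hardened form. Names are
// assumed; only the config key and the flag name come from the advisory.
export interface SandboxConfig { allowUnsandboxedCommands: boolean; }

// Vulnerable: the model-controlled tool input is consulted, so with the
// default allowUnsandboxedCommands: true the model can switch the sandbox off.
export function shouldUseSandboxVulnerable(cfg: SandboxConfig, modelInput: Record<string, unknown>): boolean {
  if (cfg.allowUnsandboxedCommands && modelInput.dangerouslyDisableSandbox === true) {
    return false;
  }
  return true;
}

// Hardened, step 1: the flag is no longer part of the tool input schema, so a
// model response carrying it is rejected before any command runs.
const BASH_INPUT_KEYS = new Set(["command", "timeout", "description"]); // assumed schema

export function validateBashInput(modelInput: Record<string, unknown>): void {
  for (const key of Object.keys(modelInput)) {
    if (!BASH_INPUT_KEYS.has(key)) {
      throw new Error(`BashTool input rejected: unexpected key "${key}"`);
    }
  }
}

// Hardened, step 2: an override can only arrive through a host-side argument
// that the model never populates, and the config can still turn it off entirely.
export interface TrustedOverride { approvedBy: string; reason: string; }

export function shouldUseSandboxHardened(
  cfg: SandboxConfig,
  modelInput: Record<string, unknown>,
  override: TrustedOverride | null,
): boolean {
  validateBashInput(modelInput);
  if (!cfg.allowUnsandboxedCommands) return true; // hard off: nothing can bypass
  return override === null;
}

// Config as shipped before 0.5.1 versus the interim hardening the advisory recommends.
export const DEFAULT_CONFIG: SandboxConfig = { allowUnsandboxedCommands: true };
export const HARDENED_CONFIG: SandboxConfig = { allowUnsandboxedCommands: false };
```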

